Posted to issues@streampipes.apache.org by "Dominik Riemer (Jira)" <ji...@apache.org> on 2022/11/17 17:51:00 UTC

[jira] [Closed] (STREAMPIPES-519) multiple insecure libs used in streampipes

     [ https://issues.apache.org/jira/browse/STREAMPIPES-519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dominik Riemer closed STREAMPIPES-519.
--------------------------------------
    Resolution: Fixed

> multiple insecure libs used in streampipes
> ------------------------------------------
>
>                 Key: STREAMPIPES-519
>                 URL: https://issues.apache.org/jira/browse/STREAMPIPES-519
>             Project: StreamPipes
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available, suggestion-done
>
> I ran a dependabot analysis using GitHub and there were 74 issues - some are the same issue appearing in multiple subprojects.
> Unfortunately, GitHub does not appear to allow me to share these results. To reproduce, fork streampipes in GitHub, go to the Security tab and enable dependabot alerts.
> some java issues
> * log4j should be upgraded https://logging.apache.org/log4j/2.x/security.html
> * jetty should be upgraded (eg 9.4.45) https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
> * commons-beanutils upgrade to 1.9.4 https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
> * guava https://mvnrepository.com/artifact/com.google.guava/guava
> * shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
> * log4jv1 is used in some places - this jar is end of life and full of CVE issues - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * commons-compress needs upgrading - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * snakeyaml needs upgrading in https://github.com/pjfanning/incubator-streampipes/blob/dev/streampipes-maven-plugin/pom.xml
> * postgresql jar needs upgrading - see https://github.com/advisories/GHSA-673j-qm5f-xpv8
> * nimbus-jose-jwt - https://github.com/advisories/GHSA-f6vf-pq8c-69m4
> * amqp-client - https://github.com/advisories/GHSA-w4g2-9hj6-5472
> * netty - https://github.com/advisories/GHSA-grg4-wf29-r9vv and others
> pips
> * waitress eg https://github.com/advisories/GHSA-4f7p-27jc-3c36
> * jinja eg https://github.com/advisories/GHSA-g3rq-g295-4j3m
> npms
> * many
> * including lodash https://github.com/advisories/GHSA-35jh-r3h4-6jhm
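As an added example (not code from the issue or the StreamPipes project), the following script audits a Maven POM against the two version floors the report states explicitly (jetty-server 9.4.45, commons-beanutils 1.9.4) and flags any use of the end-of-life log4j 1.x artifact; the sample POM and its `${jetty.version}` property are constructed for the demonstration, and the libraries the report lists without a version number are deliberately left out of the table.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Only the floors the issue states explicitly; libraries it lists without
# a version number are deliberately not encoded here.
MIN_VERSIONS = {
    ("org.eclipse.jetty", "jetty-server"): "9.4.45",
    ("commons-beanutils", "commons-beanutils"): "1.9.4",
}
# log4j 1.x is end of life, so any use of the 1.x artifact is a finding.
EOL_ARTIFACTS = {("log4j", "log4j")}

def parse_version(v):
    """Leading dotted numerics as a tuple: '9.4.44.v20210927' -> (9, 4, 44)."""
    m = re.match(r"\d+(?:\.\d+)*", v or "")
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()

def audit_pom(pom_xml):
    """Return (groupId, artifactId, version, reason) for each flagged dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        v = (dep.findtext("m:version", namespaces=NS) or "").strip()
        # Resolve simple ${property} references against <properties>.
        v = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)
        if (g, a) in EOL_ARTIFACTS:
            findings.append((g, a, v, "end-of-life 1.x line"))
        elif (g, a) in MIN_VERSIONS and parse_version(v) < parse_version(MIN_VERSIONS[(g, a)]):
            findings.append((g, a, v, "below " + MIN_VERSIONS[(g, a)]))
    return findings

# Constructed sample POM (not from the project); jetty version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jetty.version>9.4.44.v20210927</jetty.version></properties>
  <dependencies>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId>
      <version>${jetty.version}</version></dependency>
    <dependency><groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId>
      <version>1.9.4</version></dependency>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>1.2.17</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for g, a, v, why in audit_pom(SAMPLE_POM):
        print(f"{g}:{a}:{v} -> {why}")
```

Run against the sample it reports jetty-server as below the floor and log4j 1.2.17 as end of life, while commons-beanutils 1.9.4 passes.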



--
This message was sent by Atlassian Jira
(v8.20.10#820010)